Problem with check_eventlog


Stefan Rudat
Oct 10, 2024, 8:13:24 AM
to SNClient

Hi Sven,

Due to security reasons, we would like to replace NSClient++. Currently, we are testing SNClient+ v0.27 (Build: 365bf0d, go1.22.6) | ‘version’ = 0.27. During the evaluation process, we encountered issues with the check_eventlog command. Specifically, the command:

-c check_eventlog   -a "filter=provider = 'Microsoft-Windows-GroupPolicy'"

always returns “OK - Event log seems fine,” even though the following event is present:

Protokollname: Application
Quelle:        Microsoft-Windows-Security-SPP
Datum:         10.10.2024 12:37:31
Ereignis-ID:   8198
Aufgabenkategorie:Keine
Ebene:         Fehler
Schlüsselwörter:Klassisch

BR
Stefan

Sven Nierlein
Oct 10, 2024, 8:16:36 AM
to sncl...@googlegroups.com, Stefan Rudat

Hi,

could you try the latest nightly build, because there has been an issue fixed in
https://github.com/ConSol-Monitoring/snclient/issues/157

Cheers,
Sven

Stefan Rudat
Oct 15, 2024, 2:50:44 AM
to SNClient

Hi Sven,

Thank you for your quick response. We have installed the latest nightly build version and conducted some tests with the trace function enabled.
I hope we used the correct command syntax. Please find the attached trace, which includes the version used, the result, and the corresponding Windows event.

Unfortunately, we are still receiving the message “OK - Event log seems fine” when using both commands, “id=8198” and “filter=provider = 'Microsoft-Windows-Security-SPP'”.


SNClient+ v0.27.0030 (Build: d7f2f28, go1.22.8) |'version'=0.27003


[2024-10-11 10:44:05.791][Trace][pid:1972][listener:317] incoming nrpe connection from 192.168.107.60:50932
[2024-10-11 10:44:05.811][Trace][pid:1972][listen_nrpe:106] nrpe v2 request: check_eventlog []string{" filter=provider = 'Microsoft-Windows-Security-SPP'  id = 8198"}
[2024-10-11 10:44:05.811][Trace][pid:1972][snclient:694] command: check_eventlog
[2024-10-11 10:44:05.811][Trace][pid:1972][snclient:695] args: []string{" filter=provider = 'Microsoft-Windows-Security-SPP'  id = 8198"}
[2024-10-11 10:44:05.811][Debug][pid:1972][listener:337] nrpe connection from 192.168.107.60:50932 finished in 19.6614ms
[2024-10-11 10:44:13.407][Trace][pid:1972][listener:317] incoming nrpe connection from 192.168.107.60:33194
[2024-10-11 10:44:13.437][Trace][pid:1972][listen_nrpe:106] nrpe v2 request: check_eventlog []string{" filter=provider = 'Microsoft-Windows-Security-SPP' and  id = 8198"}
[2024-10-11 10:44:13.437][Trace][pid:1972][snclient:694] command: check_eventlog
[2024-10-11 10:44:13.437][Trace][pid:1972][snclient:695] args: []string{" filter=provider = 'Microsoft-Windows-Security-SPP' and  id = 8198"}
[2024-10-11 10:44:13.474][Trace][pid:1972][check_eventlog_windows:51] fetching eventlog: Application
...
[2024-10-11 10:44:13.873][Trace][pid:1972][check_eventlog_windows:86] expanded unique filter: Application-Microsoft-Windows-Security-SPP-16384
[2024-10-11 10:44:13.873][Trace][pid:1972][check_eventlog_windows:86] expanded unique filter: Application-Microsoft-Windows-Security-SPP-8198
[2024-10-11 10:44:13.873][Trace][pid:1972][check_eventlog_windows:86] expanded unique filter: Application-Microsoft-Windows-Security-SPP-1003
....
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:120] finalize check results:
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:128] filter:             provider = 'Microsoft-Windows-Security-SPP' and  id = 8198
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:129] condition  warning: level = 'warning' or problem_count > 0
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:130] condition critical: level in ('error', 'critical')
[2024-10-11 10:44:17.588][Debug][pid:1972][checkdata:131] condition       ok: none
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:133] details: map[string]string{"_state":"0", "detail-syntax":"%(file) %(source) (%(message))", "empty-syntax":"%(status) - No entries found", "ok-syntax":"%(status) - Event log seems fine", "top-syntax":"%(status) - %(count) message(s) %(problem_list)"}
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:151] list data:
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:174]  - map[string]string{"_count":"5", "_state":"0", "computer":"VMSRV19-TESTVD.BSI.local", "file":"Application", "id":"8198", "level":"fehler", "log":"Application", "message":"Fehler bei der Lizenzaktivierung (slui.exe). Fehlercode:\r\nhr=0x87E10BC6\r\nBefehlszeilenargumente:\r\nRuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=175a4401-9571-44e3-b7ed-1418ac983e2b;NotificationInterval=1440;Trigger=UserLogon;SessionId=4", "provider":"Microsoft-Windows-Security-SPP", "source":"Microsoft-Windows-Security-SPP", "written":"2024-10-11 09:05:13 CEST", "writtenTS":"1728630313"}
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:179] detail template: %(file) %(source) (%(message))
[2024-10-11 10:44:17.588][Trace][pid:1972][checkdata:213] output template: %(status) - Event log seems fine
[2024-10-11 10:44:17.588][Debug][pid:1972][listener:337] nrpe connection from 192.168.107.60:33194 finished in 4.1808928s



Protokollname: Application
Quelle:        Microsoft-Windows-Security-SPP
Datum:         11.10.2024 09:05:13

Ereignis-ID:   8198
Aufgabenkategorie:Keine
Ebene:         Fehler
Schlüsselwörter:Klassisch
Benutzer:      Nicht zutreffend
Computer:      VMSRV19-TESTVD.BSI.local
Beschreibung:
Fehler bei der Lizenzaktivierung (slui.exe). Fehlercode:
hr=0x87E10BC6
Befehlszeilenargumente:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=175a4401-9571-44e3-b7ed-1418ac983e2b;NotificationInterval=1440;Trigger=UserLogon;SessionId=4
Ereignis-XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
    <EventID Qualifiers="49152">8198</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2024-10-11T07:05:13.092429300Z" />
    <EventRecordID>20714</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>VMSRV19-TESTVD.BSI.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>hr=0x87E10BC6</Data>
    <Data>RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=175a4401-9571-44e3-b7ed-1418ac983e2b;NotificationInterval=1440;Trigger=UserLogon;SessionId=4</Data>
  </EventData>
</Event>

Stefan Rudat
Oct 15, 2024, 2:50:49 AM
to SNClient

Hi Sven,

To proceed with the evaluation process, I used a small script. However, I encountered an issue where the level was numeric (`<Level>2</Level>`). I’ll include the test script below for your reference.


>< --------------------------------- cut from here with a sharp knife ---------------------------------------------------><

# Check-EventID.ps1

param (
    [int]$EventID,
    [string]$LogName = "Application"
)

# Fetch the newest matching event. Get-WinEvent emits a non-terminating error when
# nothing matches, so suppress it and treat "no event" as a normal result below.
$event = Get-WinEvent -FilterHashtable @{LogName=$LogName; ID=$EventID} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($event) {
    # Directly use the Level field (numerical value). It is locale-independent,
    # unlike LevelDisplayName, which is localized (e.g. "Fehler" on a German system).
    switch ($event.Level) {
        1 { $level = "Critical" }
        2 { $level = "Error" }
        3 { $level = "Warning" }
        4 { $level = "Information" }
        5 { $level = "Verbose" }
        default { $level = "Unknown" }
    }

    # Map the level name to a Nagios-style output line and exit code.
    switch ($level) {
        "Critical" {
            Write-Output "CRITICAL - Event ID $EventID found in $LogName log. Event details: $($event.Message)"
            exit 2
        }
        "Error" {
            Write-Output "CRITICAL - Event ID $EventID found in $LogName log. Event details: $($event.Message)"
            exit 2
        }
        "Warning" {
            Write-Output "WARNING - Event ID $EventID found in $LogName log. Event details: $($event.Message)"
            exit 1
        }
        "Information" {
            Write-Output "OK - Event ID $EventID found in $LogName log. Event details: $($event.Message)"
            exit 0
        }
        default {
            Write-Output "UNKNOWN - Event ID $EventID found in $LogName log but level is unknown. Event details: $($event.Message)"
            exit 3
        }
    }
} else {
    Write-Output "OK - No Event ID $EventID found in $LogName log."
    exit 0
}

>< --------------------------------- until  here ---------------------------------------------------><

$command -u -2 -H $IP -c EventCheck -a "8194 Application"
CRITICAL - Event ID 8194 found in Application log. Event details: Die clientseitige Erweiterung konnte die Benutzer-Richtlinieneinstellungen für Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9} nicht übernehmen. Fehlercode: 0x80070003 Das System kann den angegebenen Pfad nicht finden. Weitere Details finden Sie in der Ablaufverfolgungsdatei

BR
Stefan

Sven Nierlein
Jan 23, 2025, 4:25:59 AM
to Stefan Rudat, sncl...@googlegroups.com

Hi,

I finally was able to have a close look. The issue here is, the snclient fetches the event log via wmi. But wmi cannot access
the "custom logs". Seems like this is only possible with either the powershell get-winevent or the wevtutil.exe.
I'll see if i can incorporate those commands in the check_eventlog...

Regards,
Sven
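As an added example that is not part of this thread and not SNClient+ code: since Get-WinEvent is the path Sven names for logs that WMI cannot read, the script below generalizes the Check-EventID.ps1 approach from earlier in the thread. It filters by provider and optional event ID within a time window (the thread's commands filter on provider and id, but the script above only filters on id), evaluates every matching event rather than only the newest one, maps the numeric Level to a state (the trace above shows the localized level "fehler", so the display name is not safe to compare against "Error"), and exits with the worst state found. The script name, parameter names and the one-hour default window are assumptions.

```powershell
# Check-WinEventState.ps1 (hypothetical name; added example, not from the thread)
param (
    [Parameter(Mandatory = $true)][string]$ProviderName,
    [int]$EventId = 0,
    [string]$LogName = "Application",
    [int]$MinutesBack = 60,
    [int]$MaxEvents = 50
)

# Build the FilterHashtable for Get-WinEvent. An ID key is only added when one was
# requested, so the filter stays valid when checking a provider as a whole.
$filter = @{
    LogName      = $LogName
    ProviderName = $ProviderName
    StartTime    = (Get-Date).AddMinutes(-$MinutesBack)
}
if ($EventId -gt 0) { $filter['ID'] = $EventId }

# Get-WinEvent writes a non-terminating error when nothing matches; suppress it so
# that "no events" is a normal (OK) result instead of noise on stderr.
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

# Map the numeric Level (locale-independent) to a Nagios state: 0 OK, 1 WARNING, 2 CRITICAL.
# LevelDisplayName would read "Fehler" on a German system, which is why the number is used.
function Get-StateFromLevel {
    param([int]$Level)
    switch ($Level) {
        1 { return 2 }        # Critical
        2 { return 2 }        # Error
        3 { return 1 }        # Warning
        default { return 0 }  # LogAlways (0), Information (4), Verbose (5)
    }
}

$worst = 0
$problems = @()
foreach ($e in $events) {
    $state = Get-StateFromLevel -Level $e.Level
    if ($state -gt $worst) { $worst = $state }
    if ($state -gt 0) {
        # Keep only the first line of the message so the plugin output stays readable.
        $firstLine = ([string]$e.Message -split "`r?`n")[0]
        $problems += "$($e.TimeCreated.ToString('s')) id=$($e.Id) level=$($e.Level): $firstLine"
    }
}

$label = @('OK', 'WARNING', 'CRITICAL')[$worst]
if ($events.Count -eq 0) {
    Write-Output "$label - no events from '$ProviderName' in $LogName during the last $MinutesBack minutes | count=0"
} elseif ($problems.Count -eq 0) {
    Write-Output "$label - $($events.Count) event(s) from '$ProviderName', none at warning level or above | count=$($events.Count)"
} else {
    Write-Output "$label - $($problems.Count) problem event(s) from '$ProviderName' in $LogName | count=$($events.Count) problems=$($problems.Count)"
    $problems | ForEach-Object { Write-Output $_ }
}
exit $worst
```

Called as a script command in the same way as EventCheck above, the positional arguments would be `-a "Microsoft-Windows-Security-SPP 8198"`; the event from the trace (level 2) then yields a CRITICAL line listing the event, and the same call on a host without that event yields OK with `count=0`.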
